6506-sup720 with FWSM and SPA-IPSEC-2G. Where do I terminate VPNs?


I am dealing with the SPA-IPSEC-2G for the first time in my life. I have a 6506 switch here with FWSM and SPA-IPSEC-2G modules. The configuration we have has 9 VLANs separated by the FWSM. VLAN 10 is configured as the outside interface on the FWSM and has a public IP assigned. I need to terminate some site-to-site VPNs. Where do I terminate those?

As per the SPA-IPSEC-2G documentation, it's done on the 6500 Sup. However, in my case there are no Layer-3 interfaces on the Sup at all, since all the VLANs are switched by the FWSM. Is there a way to tell the FWSM to use the SPA-IPSEC-2G module for any encryption work and configure all VPNs on the FWSM?

Below is "show mod" from my switch.

Router#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     6 Firewall Module                        WS-SVC-FWM-1       SAD114104CE
  2     0 2-subslot Services SPA Carrier-400     7600-SSC-400       JAE1138XBQE
  3    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1135ZCK5
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL11370RNN

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 001d.45fd.19d2 to 001d.45fd.19d9   4.2    7.2(1)       2.3(4)       Ok
  2 001a.2f0c.bf68 to 001a.2f0c.bfa7   2.0    12.2(18)SXF1 12.2(18)SXF1 Ok
  3 001d.45ba.07f0 to 001d.45ba.081f   2.6    12.2(14r)S5  12.2(18)SXF1 Ok
  5 0016.c85e.d680 to 0016.c85e.d683   5.4    8.4(2)       12.2(18)SXF1 Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
 2/0 2 Gbps IPSec SPA            SPA-IPSEC-2G       JAE1141ZU32 1.0     Ok
  3  Centralized Forwarding Card WS-F6700-CFC       SAL1135Z6Z5 4.0     Ok
  5  Policy Feature Card 3       WS-F6K-PFC3B       SAL11370KJ7 2.3     Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL11370PYG 3.0     Ok

Thanks in advance,

Sam Munzani

Jon Marshall Thu, 11/22/2007 - 00:35

Hi Sam

I haven't used the SPA-IPSEC-2G card, but I do know the FWSM, and you cannot configure VPNs on this module.

Do you have an MSFC in your 6500 chassis? Could you not allocate the public IP address to an L3 interface on the MSFC and then have a separate VLAN for use between the MSFC and the FWSM outside interface?

Obviously, without knowing your full topology this might not help, as you may have many other VLANs routing off your MSFC (if you have one).


Jon Marshall Thu, 11/22/2007 - 10:05

Hi Sam

I'm making a couple of assumptions based on your postings:

1) You can terminate the VPNs on an L3 interface on the 6500, i.e. a VLAN interface, which you seem to be suggesting is what the docs say.

2) You have no non-firewalled VLANs on the 6500 chassis, i.e. all the VLANs have their L3 interfaces on the FWSM.

If the above assumptions are correct, I would:

1) Create an L3 SVI for VLAN 10 and move the public IP of the FWSM outside interface to that L3 SVI.

2) Create a new VLAN, e.g. VLAN 20, which will act as the VLAN that connects your MSFC to the outside interface of the FWSM. This VLAN can use private addressing.

3) Terminate the VPNs on the L3 SVI and then have routes for the firewalled VLANs pointing to the outside interface of your FWSM.

As long as you do not have any other VLANs with L3 interfaces on your switch, this is still secure, because to get to any of the VLANs on the 6500 (apart from VLANs 10 and 20) you have to go through the FWSM.

Does this make sense ?



Logically it makes sense. However, where will the public NATs take place? The FWSM no longer has an outside interface using public IPs, and we have web servers that need public NATs.

Does that mean I have to acquire another public address block for the outside interface of the FWSM, which will be the new VLAN 20 as per the discussion?

Would something like the below work?

1. Keep the FWSM outside interface in VLAN 10 as it is now, let it have a public address in the /29 zone, and keep the NATs there.

2. However, create a new VLAN on the FWSM where the VPN module's inside interface will go. The VPN module's outside interface stays in VLAN 10 (the public IP zone).

In summary, what if we keep the public interfaces of the FWSM and the VPN module in parallel and place the VPN's inside on a DMZ of the FWSM? I will need some static routes on the FWSM to force VPN traffic through VLAN 20 (through the VPN blade).



Jon Marshall Thu, 11/22/2007 - 10:24


The 6500 can do NAT anyway, so you could just do the NAT on the switch itself and have the FWSM not do NAT as such.

So the VLAN 10 L3 interface on the MSFC will be "ip nat outside" and the VLAN 20 L3 interface on the MSFC would be "ip nat inside".

I don't see why this wouldn't work, but I don't have a VPN card for our 6500 in the lab, so I guess you would need to test it quite thoroughly.
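The three steps in Jon's 10:05 post and the NAT placement in his 10:24 post, written out as one Sup720/MSFC configuration. This is an added example, not configuration from the thread or from Cisco documentation. The public block 203.0.113.0/29, the firewalled aggregate 10.0.0.0/8, the remote site 192.168.100.0/24, the peer 198.51.100.10, the web server 10.0.30.10, VLAN 1020 as the SPA port VLAN, Gi3/1 as the ISP uplink, the ACL and map names, and the crypto-connect keywords (crypto connect vlan, crypto engine subslot) are assumptions for 12.2(18)SXF; check each against your own addressing and the IPsec VPN SPA configuration guide for the running release.

```cisco
! Added example (not from the thread). Sup720/MSFC side of the design:
! public /29 on SVI vlan 10, VPN terminated there through the SPA-IPSEC-2G
! in crypto-connect mode, NAT on the MSFC, private vlan 20 to the FWSM outside.
! All addresses, VLAN numbers, ports, names and keywords are assumptions.
vlan 10
 name INTERNET
vlan 20
 name MSFC-TO-FWSM-OUTSIDE
vlan 1020
 name IPSEC-SPA-PORT-VLAN
!
! Crypto-connect mode: the ISP-facing port sits in a port VLAN with no IP;
! the SPA joins that port VLAN to the interface VLAN that owns the public IP.
interface GigabitEthernet3/1
 description ISP uplink
 switchport
 switchport access vlan 1020
 switchport mode access
!
interface Vlan1020
 no ip address
 crypto connect vlan 10
!
! Interface VLAN: the public IP that used to sit on the FWSM outside.
! This is the only thing the Internet can reach on the MSFC, so the inbound
! ACL admits just IKE/ESP from the peer and the published server ports.
interface Vlan10
 description Internet-facing: VPN termination and NAT outside
 ip address 203.0.113.2 255.255.255.248
 ip access-group FROM-INTERNET in
 ip nat outside
 crypto map SITE2SITE
 crypto engine subslot 2/0
!
! Private transit VLAN to the FWSM outside interface (FWSM side: 10.255.20.2).
interface Vlan20
 description Transit to FWSM outside
 ip address 10.255.20.1 255.255.255.252
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! The only route into the firewalled VLANs points at the FWSM; the MSFC has
! no SVI in any of them, which is what keeps the "still secure" argument true.
ip route 10.0.0.0 255.0.0.0 10.255.20.2
!
! NAT moves from the FWSM to the MSFC. IOS translates inside->outside
! traffic before it is encrypted, so the PAT list must exclude the VPN
! subnet or the crypto ACL never matches the post-NAT packet.
ip access-list extended NAT-INSIDE
 deny   ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list NAT-INSIDE interface Vlan10 overload
! The static entry translates the web server unconditionally; if that host
! must also talk across the tunnel, attach a route-map to the static.
ip nat inside source static 10.0.30.10 203.0.113.3
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.10
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
ip access-list extended VPN-TO-REMOTE
 permit ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set AES256-SHA
 match address VPN-TO-REMOTE
!
ip access-list extended FROM-INTERNET
 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.2
 remark decrypted tunnel traffic, for releases that re-check the inbound ACL after decryption
 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark published web server (inbound ACL sees the global address, before NAT)
 permit tcp any host 203.0.113.3 eq www
 permit tcp any host 203.0.113.3 eq 443
 deny   ip any any log
```

On the FWSM side (not shown, and also an assumption) the outside interface takes 10.255.20.2/30 with its default route at 10.255.20.1; because FWSM 2.3 only passes higher-to-lower security traffic that has a translation, an identity NAT (static or nat 0) keeps inside addresses unchanged so the MSFC sees and translates the real 10.x addresses. Sam's alternative, where the FWSM keeps the public /29 and its NATs and the decrypted side of the tunnel lands in a DMZ VLAN on the FWSM, changes the MSFC part of this to a second public address on the interface VLAN plus a route for 192.168.100.0/24 on the FWSM via that DMZ; how the crypto port and interface VLANs then share VLAN 10 with the FWSM outside is exactly the part to prove in the lab first, as Jon suggests.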


Jon Marshall Thu, 11/22/2007 - 11:20


No problem. I also responded to your last post before I saw your possible solution. Sounds like it could work and may well be a better solution.

Let me know how you get on
